ELA-513-1 ckeditor security update

multiple vulnerabilities

Related CVEs: CVE-2021-33829, CVE-2021-37695

CKEditor, an open source WYSIWYG HTML editor with rich content support that can be embedded into web pages, had the following two vulnerabilities:


A cross-site scripting (XSS) vulnerability in the HTML Data
Processor in CKEditor 4 allows remote attackers to inject
executable JavaScript code through a crafted comment because
--!> is mishandled.


A potential vulnerability has been discovered in the CKEditor 4
Fake Objects package. The vulnerability allowed injection of
malformed Fake Objects HTML, which could result in the execution
of JavaScript code.

For Debian 8 jessie, these problems have been fixed in version 4.4.4+dfsg1-3+deb8u1.

We recommend that you upgrade your ckeditor packages.
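
The comment issue described above comes down to a filter and the browser disagreeing on where a comment ends: the HTML Standard ends a comment at `--!>` as well as at `-->`. The following check for stored editor content is an added example, not CKEditor's code or the Debian patch. The names `scanComments` and `suspicious` and the sample markup are constructed for illustration, and the input is assumed to be body-level HTML (no script, style or attribute context).

```javascript
// Added example: find HTML comments the way the HTML tokenizer ends them and
// flag those closed by "--!>", which a "-->"-only filter does not see.

// Constructed sample; the markup after "--!>" is a harmless placeholder.
const SAMPLE = [
  '<p>intro</p>',
  '<!-- ordinary note -->',
  '<!-- draft --!><b id="live">parsed as markup</b> -->',
  '<!--!> still a comment -->',
].join('\n');

function scanComments(html) {
  const findings = [];
  let pos = 0;
  for (;;) {
    const open = html.indexOf('<!--', pos);
    if (open === -1) break;
    // "-->" may overlap the opening dashes ("<!-->" and "<!--->" are empty
    // comments); "--!>" may not ("<!--!>" does not close anything).
    const normal = html.indexOf('-->', open + 2);
    const bang = html.indexOf('--!>', open + 4);
    const useBang = bang !== -1 && (normal === -1 || bang < normal);
    if (!useBang && normal === -1) {
      findings.push({ open, terminator: null, exposed: '' }); // unterminated
      break;
    }
    const end = useBang ? bang + 4 : normal + 3;
    // Text a "-->"-only filter would still count as comment body,
    // although the browser already parses it as markup.
    let exposed = '';
    if (useBang) {
      exposed = normal === -1 ? html.slice(end) : html.slice(end, normal);
    }
    findings.push({ open, terminator: useBang ? '--!>' : '-->', exposed });
    pos = end;
  }
  return findings;
}

// Comments worth reviewing: everything closed by the "--!>" form.
function suspicious(html) {
  return scanComments(html).filter((c) => c.terminator === '--!>');
}

for (const c of suspicious(SAMPLE)) {
  console.log(`offset ${c.open}: closed by --!>, exposed ${JSON.stringify(c.exposed)}`);
}
```

A hit does not prove the content is malicious, only that a comment ends earlier than a `-->`-only parser would assume, so the `exposed` text deserves review after upgrading.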

Further information about Extended LTS security advisories can be found in the dedicated section of our website.